Stealing secrets

UK organisations lost £16.8 billion through the cyber-theft of corporate secrets in 2010, according to a study from the UK government and information security firm Detica.

With total losses estimated at £27 billion, the theft of corporate secrets accounted for almost 60% of all UK cyber-crime losses suffered by businesses and government.

Published in February 2011, 'The Cost of Cyber Crime' raises questions about the state of IT security. It will also challenge many assumptions about the nature of IT-based crime and the damage it is causing.

For example, identity theft, online fraud, denial-of-service attacks and theft of customer data are perhaps the highest profile types of cyber-crime. But the study shows that the combined losses from these widely reported crimes are less than half of those attributed to stolen secrets.

In the world of cyber-crime, the term advanced persistent threat, or APT, is increasingly used to categorise cyber burglary that is sophisticated, organised and determined.

The other defining characteristic of an APT is its specific purpose: stealing corporate secrets.

Referred to as Operation Aurora by security firm McAfee, a series of APTs - apparently from the same source - hit a number of US firms in 2009, including Google, Northrop, Grumman, Dow Chemical, Yahoo and Adobe.

In a March 2011 fiasco of leaked e-mails from its IT security consultants, the investment bank Morgan Stanley was unwillingly 'outed' as another of Aurora's official victims. And later that month, one of the world's leading IT security firms, RSA, announced that secrets about its IT access control product were specifically targeted and stolen. In its Web site announcement, the company referred to the attack as an APT.

Over 40 million people at about 30 000 companies access their IT systems via SecurID - RSA's two-factor authentication product that uses a little device to generate a one-time-PIN or OTP. A username is entered, and a 'normal' PIN, then the added OTP is displayed on a 'generator'.

It now seems that users might also have to hold thumbs as an additional step in this authentication process, because it's being speculated that the product may have been badly compromised by the cyber-villains.

So, how widespread is the APT danger? After the virtual horses had bolted from his server rooms, Arthur Coviello, RSA's executive chairman, said: “APT threats are becoming a significant challenge for all large corporations, and it's a topic I have discussed publicly many times.”

For the sake of the bottom line, let's hope a lot more people are listening, because cyber-villains have just nicked part of the IT access rights for 30 000 organisations. Why on earth would they want to do that? What motivates someone to steal secrets from RSA?

Perhaps the answer is that the days of crowbars and safe-cracking are coming to an end. Nowadays, it seems that cyber-smart villains are using passwords, cards and PINs to get at the digital loot. And the most valuable loot comes in the form of corporate secrets.

For an industry that adores progress, it's weird how quaint IT is when it comes to security. Perhaps more than any other sector, IT sustains itself on development in a seemingly quenchless thirst for improvement.

For an industry that adores progress, it's weird how quaint IT is when it comes to security.

Mark Eardley is channel manager at SuperVision Biometric Systems.

And yet the vast majority of the world's digitally-enabled will have opened their IT day with nothing more than a password.

A small minority might have used a chip and PIN 'smartcard' or a password and PIN combo. But these measures do nothing to address the fact that such credentials are still routinely lost, forgotten and shared. And the APT at RSA shows that villains want to steal them.

IT systems costing countless billions - and containing digital secrets worth far more - were accessed this morning using something about as effective as an ashtray on a motorbike.

This extraordinary lack of IT progress only tells one part of the security story. It may be an inconvenient truth, but the abuse of these traditional credentials lies at the heart of most IT-based corporate crime. Anyone can use another person's card, PIN or password.

Result? For the top cyber-villains, it's 'open sesame' as they tuck into some more juicy corporate secrets.

Ever heard the warnings about password vulnerabilities that are leveraged within social media? About how people use the same passwords for these sites as they do to access their workplace systems? About how social media is like a password supermarket for cyber-criminals?

Well, Google says its exposure to the Aurora APT started with an attempt to discover the passwords of specific employees. Information on these 'targets' was apparently gathered from social media networks and was used to motivate visits to a photo Web site set up by the people behind Aurora.

One of the Google targets clicked on a link to the site, allowing the cyber-criminals to establish a connection to the victim's machine and use their password to access to other Google servers.

Considering the value of the secrets being targeted by the villains, there's clearly plenty of motivation for them to acquire access credentials.

Given the scale of the losses referred to in the Detica study, it seems that cyber-criminals who are targeting corporate secrets are running rings around IT security - at least according to the UK minister for security.

Speaking at the launch of the study, the minister said many companies in the country do not know what the normal functioning of their IT systems looks like because they don't actually know enough about their own systems.

In other words, organisations are not doing enough to protect themselves from the cyber-threat.

As an advocate of fingerprint-based IT authentication, I'm obviously going to point out that protecting corporate secrets means winning back far more control over who can access them.

The evidence is overwhelming that the status quo in user authentication just isn't working. If cards, PINs and passwords are no longer an effective barrier to the cyber-theft of secrets, is it perhaps time for IT to stop relying on them?